authorVirendra Thakur <virendrak@kpit.com>2023-12-22 12:40:41 +0530
committerSteve Sakoman <steve@sakoman.com>2023-12-29 05:29:14 -1000
commit0aa12e491969eac7050b6b2c6665a3fdbc070c3d (patch)
tree000047927b0dfdd2185bd1f56366d6203532c67b
parent3433d043c7ecd8368400be5dcc3a9705b237dd57 (diff)
binutils: fix multiple cve
Fix the following CVEs: CVE-2022-47007 CVE-2022-47008 CVE-2022-47010 CVE-2022-47011 CVE-2022-48063 CVE-2022-47695 (From OE-Core rev: 873163936937a583278e3cd97c6226935f2faa0c) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc6
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch64
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch34
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch31
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch57
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch49
7 files changed, 273 insertions, 0 deletions
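--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -56,5 +56,11 @@ SRC_URI = "\
  file://CVE-2023-25588.patch \
  file://CVE-2021-46174.patch \
  file://CVE-2023-25584.patch \
+ file://CVE-2022-47007.patch \
+ file://CVE-2022-47008.patch \
+ file://CVE-2022-47010.patch \
+ file://CVE-2022-47011.patch \
+ file://CVE-2022-48063.patch \
+ file://CVE-2022-47695.patch \
 "
 S = "${WORKDIR}/git"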
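--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
+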
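--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -561,22 +562,23 @@
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+
+ /* Parse a string into a VMA, with a fatal error if it can't be
+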
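Review bot: In the non-HAVE_MKDTEMP branch of make_tempdir, `mkdir (tmpname, ...)` is now reached even when `mktemp` has failed, where the removed lines returned early. On a libc where `mktemp` returns NULL but leaves the template usable, a directory could be created and then orphaned, because the function still frees the name and returns NULL. Guarding the call as `if (ret != NULL && mkdir (tmpname, 0700) != 0)` (and likewise for the `_WIN32` form) keeps the early-out behaviour. In the first hunk, `tmpname = mktemp (tmpname)` still overwrites the only pointer to the template, so the `fd == -1` path, whose body lies outside the hunk, presumably cannot free the buffer when NULL comes back; a separate result variable, as make_tempdir now uses, would avoid that. The patch is marked as a backport, so both points may be better raised upstream.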
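--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+ PR 29262
+ * prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+ strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+ free (s);
+-
+- return TRUE;
++ return ret;
+ }
+
+ /* Turn the top type on the stack into a reference to that type. */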
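--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+ ++c;
+ }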
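--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+ PR 29846
+ PR 20337
+ * objdump.c (compare_symbols): Test symbol flags to exclude
+ section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+ return 1;
+ }
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+ /* Symbols that start with '.' might be section names, so sort them
+ after symbols that don't start with '.'. */
+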
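Review bot: The reason the flag test now comes first in each `&&` of compare_symbols is not recorded in the code, since the added comment only cites PR20337 for the sort order. The patch description says section and synthetic symbols must be excluded before the flavour is checked, so a later tidy-up that swaps the operands back would presumably reintroduce the crash on the fuzzed input it mentions. I would extend the comment along the lines of `/* Test the flags first: section and synthetic symbols must be excluded before bfd_get_flavour is consulted. See PR29846. */`. compare_symbols starts and ends outside the hunk.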
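--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+ PR 29924
+ * objdump.c (load_specific_debug_section): Check for excessively
+ large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+ 2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+ section->size = bfd_section_size (sec);
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+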
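Review bot: The added bound in load_specific_debug_section is skipped whenever `bfd_get_size (abfd)` returns 0, so in that case the allocation is still limited only by the two older checks. The `!= 0` guard suggests 0 stands for an unknown file size, but nothing at the call site says so. A comment such as `/* PR 29924: a section cannot be larger than the file containing it; a file size of 0 is treated as unknown and not checked. */` would record the intent. `bfd_get_size` is also evaluated twice in the condition, and holding it in a local would make the comparison easier to read. The function body continues outside the hunk.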